Midsize Enterprises: Strengthen Security for Today's Threat Landscape
Midsize enterprise (MSE) IT leaders are responsible for securing their enterprises against the same complex threat landscape as CISOs in larger organizations, but they are challenged to do so with fewer staff, limited security tools and smaller budgets.
According to Gartner research, only 5% of an MSE’s IT spend was allocated to security in 2021. Furthermore, more than half of MSEs do not have a CISO, meaning cybersecurity falls under the CEO, CIO or another line of business leader, who must divide their time and attention among a wide range of IT and business responsibilities.
Despite fewer resources, MSE organizations can still effectively protect against ransomware, supply chain risks and other threats. Here are the key steps that MSE IT leaders can take to strengthen their security against today’s complex threat landscape.
MSE CIOs cite security as the top technology skill gap in their organizations. In fact, most MSEs lack dedicated cybersecurity personnel on the IT team; Gartner research shows that a dedicated security resource does not emerge until there are at least 21 people in the IT group. Developing a workforce strategy around security is paramount to a successful MSE security program.
As MSE IT leaders don’t have the time or money to compete for security talent, they must focus on distributing security roles and functions to their existing team members. Identify internal people with select competencies in five critical security categories:
With small teams, it is not uncommon to have one individual responsible for several of these security roles. Offer training opportunities for staff in these areas, which will not only help improve security processes and practices in the organization but can also support IT talent retention.
Around-the-clock monitoring is critical to quickly respond to and contain security incidents, but to run a security operations center 24x7, you must have a minimum of 8 to 12 security analysts. This is not achievable for most MSE organizations.
Leveraging a managed security service provider (MSSP), managed detection and response (MDR) services, or an endpoint detection and response (EDR) provider can complement a role-based approach to security by providing support for resource-intensive monitoring. In most MSE environments, it is possible to contract a managed service provider for less than the cost of one senior, full-time-equivalent employee.
Identifying a vendor or mix of vendors ideally suited to MSE requirements can be difficult. Although the MSSP market is maturing, there is no “one size fits all” vendor to address all cybersecurity threats. When contracting an MSSP, ensure that the provider:
Within any size organization, managing security is a complex task. An MSE CIO’s security responsibilities not only encompass thwarting unrelenting threats, but also addressing compliance within a fast-changing regulatory landscape, providing assurance for growing customer security concerns and more.
Therefore, MSE CIOs must be highly effective to manage this full plate of security responsibilities. They can do so by following the lead of highly effective CISOs at larger organizations.
Gartner research has found that the most effective CISOs are skilled executive influencers, future risk managers and workforce architects. They actively develop their teams by focusing on diverse competencies and addressing talent gaps with non-security resources. These CISOs aren’t bogged down by security alerts and decision fatigue, but are instead focused on what is controllable: their own behaviors and mindsets.
Most importantly, these CISOs build strong relationships with senior leadership across the enterprise, particularly those outside of IT such as the CEO and Board of Directors. By maintaining these relationships, these CISOs are at the forefront of conversations with decision-makers about security and risk, enabling them to proactively identify and manage future threats to the organization.
MSE CIOs and IT leaders face a challenging role and complex set of responsibilities, including security and risk management. By understanding the critical components of a strong cybersecurity program, MSE IT leaders can develop a roadmap for using the resources at their disposal to enhance their security posture and protect against cyberthreats.
This article was written by Paul Furtado from Cybersecurity Dive and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to email@example.com.
The information above is provided as a convenience, without warranties of any kind and MUFG Union Bank, N.A. disclaims all warranties, express and implied, with respect to the information. You are solely responsible for your company’s cybersecurity practices.